Topics - gunnarf

#1
I don't know if it has something to do with the update, but after upgrading to 24.7.12 my (working for a long time) client OpnSense server can no longer connect to the main site. I see lots of these messages in the log

2025-01-23T15:38:11   Notice   openvpn_server1   MANAGEMENT: Client disconnected   
2025-01-23T15:38:11   Notice   openvpn_server1   MANAGEMENT: CMD 'state'   
2025-01-23T15:38:11   Notice   openvpn_server1   MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock   
2025-01-23T15:38:11   Notice   openvpn_server1   MANAGEMENT: Client disconnected   
2025-01-23T15:38:11   Notice   openvpn_server1   MANAGEMENT: CMD 'status 3'   
2025-01-23T15:38:11   Notice   openvpn_server1   MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock   
2025-01-23T15:38:01   Notice   openvpn_server1   MANAGEMENT: Client disconnected   
2025-01-23T15:38:01   Notice   openvpn_server1   MANAGEMENT: CMD 'state'

#2
On my home network, I have requested a /56 from my ISP. It is easy to get ipv6 on the LAN interface via track interface, but how can I get ipv6 to the other two internal interfaces on the firewall?

Gunnar
#3
As in Topic. OpenVPN widget gives correct data on the client Dashboard, but on the server side it says

OpenVPN Client Connections
Server SSL VPN mot Ornoweather
No clients connected

Small but annoying error
#4
With the old dashboard, looking at interfaces I could see both DHCP address for ipv4 and ipv6 on the WAN interface. With the new dashboard only the address for ipv4 is visible. I still get a dhcp6 ipv6 address though. So it is more cosmetics
#5
By being clumsy, I assigned a static address to one of my devices, that is already assigned to another client. There is no "Edit" button for static IP addresses? So how do I proceed?
#6
23.7 Legacy Series / speedtest from cli
September 01, 2023, 01:03:02 PM
Earlier I had speedtest-cli installed on my opnsense box. It seems to have disappeared. Is there some kind of WAN speedtest tool in the plugins or some other way?
#7
23.1 Legacy Series / NTP not able to use ipv6 peer
July 17, 2023, 10:03:30 PM
Hi!

I've very well working ipv6, and one of the peers provided by pool.ntp.org happens to be an ipv6 server. But it never reaches Active or Candidate peer.

Status from the firewall in attached file

It is not of very big importance to have ipv6 peers, just a bit fun if it works
#8
It's all in the subject. Rebooting after upgrade and my VPN to the other OPNsense is blown away
#9
I have a firewall with native ipv6 from my ISP. using dhcpv6 I get a /56

The clients get addresses properly, but there is something weird with the routing. If I ping google I get
ping 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
64 bytes from 2001:4860:4860::8888: icmp_seq=1 ttl=60 time=2.80 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=2 ttl=60 time=2.87 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=3 ttl=60 time=3.01 ms
64 bytes from 2001:4860:4860::8888: icmp_seq=4 ttl=60 time=3.13 ms

if I ping another ipv6 destination I get:

ping 2001:67c:d8:ed80::87
PING 2001:67c:d8:ed80::87(2001:67c:d8:ed80::87) 56 data bytes
^C
--- 2001:67c:d8:ed80::87 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 298ms

This is a legitimate ipv6 address

If I traceroute google I get:

traceroute6 2001:4860:4860::8888
traceroute to 2001:4860:4860::8888 (2001:4860:4860::8888), 30 hops max, 80 byte packets
OPNsense.gflygt.se (2001:9b0:21d:XXXX:XXX:XXXX:fe51:6da9)  0.741 ms  0.494 ms  0.341 ms
2  2a01:2b0:2000:152::2 (2a01:2b0:2000:152::2)  2.135 ms  2.157 ms  2.192 ms
3  2a01:2b0:2000:152::5 (2a01:2b0:2000:152::5)  2.734 ms  2.591 ms  2.620 ms
4  2001:4860:1:1::efc (2001:4860:1:1::efc)  2.963 ms  2.825 ms  2.791 ms
5  2a00:1450:810a::1 (2a00:1450:810a::1)  3.888 ms 2a00:1450:80b2::1 (2a00:1450:80b2::1)  3.745 ms 2a00:1450:8112::1 (2a00:1450:8112::1)  2.604 ms
dns.google (2001:4860:4860::8888)  2.680 ms 2001:4860:0:1::b7c (2001:4860:0:1::b7c)  3.972 ms  3.714 ms

If I traceroute the other address (mail-1.sr.se) I get:
traceroute6 2001:67c:d8:ed80::87
traceroute to 2001:67c:d8:ed80::87 (2001:67c:d8:ed80::87), 30 hops max, 80 byte packets
OPNsense.gflygt.se (2001:9b0:21d:XXXX:XXX:XXXX:fe51:6da9)  0.695 ms  0.440 ms  0.542 ms
OPNsense.gflygt.se (2001:9b0:21d:XXXX:XXX:XXXX:fe51:6da9)  0.401 ms !N  0.478 ms !N  0.349 ms !N

(I obfuscated my ipv6 address a little)
i.e. it stops at the LAN address on my firewall.

So traceroute to google works fine, but not the other ordinary host. I can reach both hosts on my other firewall where I have tunneled ipv6!

It was fully working a while ago. I don't remember from which version of OPNsense it stopped working

Gunnar
#10
I just upgraded to 22.7.1 on my firewall with native ipv6 enabled. And the clients on the LAN don't get ipv6 addresses.

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.61  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::144c:494d:4836:2c33  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:37:6f:4c  txqueuelen 1000  (Ethernet)
        RX packets 3466  bytes 729753 (712.6 KiB)
        RX errors 1  dropped 1  overruns 0  frame 0
        TX packets 3075  bytes 1900898 (1.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Nothing changed in the config.

It looks fine in the Dashboard. LAN gets the address it should.

UPDATE: I get address (it took some time but it appeared) for my tested client, but I can't ping hosts on the Internet.

I can ping the LAN interface on the router, but not further. And a traceroute6 to an external host gives only the LAN interface.
#11
***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.8 (amd64/OpenSSL) at Sun Jun 12 08:49:19 CEST 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (1 candidates): . done
Processing candidates (1 candidates): . done
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
   opnsense: 22.1.8 -> 22.1.8_1

Number of packages to be upgraded: 1

4 MiB to be downloaded.
[1/1] Fetching opnsense-22.1.8_1.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/1] Upgrading opnsense from 22.1.8 to 22.1.8_1...
[1/1] Extracting opnsense-22.1.8_1: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh'
Writing firmware setting...done.
Writing trust files...done.
Configuring login behaviour...done.
Configuring system logging...done.
=====
Message from opnsense-22.1.8_1:

--
Owl be watching you
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

>>> Missing package dependencies were detected.
>>> Found 2 issue(s) in the package database.

pkg-static: No packages available to install matching 'python37' have been found in the repositories
pkg-static: No packages available to install matching 'py37-setuptools' have been found in the repositories
>>> Summary of actions performed:

python37 dependency failed to be fixed
py37-setuptools dependency failed to be fixed

>>> There are still missing dependencies.
>>> Try fixing them manually.

>>> Also make sure to check 'pkg updating' for known issues.
The following package files will be deleted:
   /var/cache/pkg/opnsense-22.1.8_1~cb594b0a31.pkg
   /var/cache/pkg/opnsense-22.1.8_1.pkg
The cleanup will free 4 MiB
Deleting files: .. done
All done
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***
#12
My ISP provides me with a /56 range of ipv6. My clients get ipv6 addresses, but dhcpv6 doesn't provide a default route. It did work a while ago. I haven't changed my config, so what can be wrong?
#13
I have a problem with my ISP. I can't get a permanent ipv4 address for my main firewall access point. This means that if I reboot after an upgrade, I may sit there with a new public ip address, which means that both my sites won't be able to set up the VPN I have between the sites.

My thought then would be a cron script (on the remote firewall) checking (once a day) the public ip address on the main site (yes it's reachable via DNS), retrieve the new address and then change the ip-address in the client VPN setup, and reload the VPN system (OpenVPN used)

Is this possible (yes of course  :) but how?)
#14
The Subject says it all. I've had native ipv6 running for 2 years now. From upgrade to ver 22 DHCPv6 Server does not start. My configuration is untouched.
#15
All in the Subject. Upgraded from 21.7.1 to 21.7.2 And Open VPN starts the service in both ends, and says the service is running, but no traffic can be established between the end points.

Nothing else has been changed, just the upgrade. I also made the latest upgrade to 21.7.2_1 on both nodes. Result the same
#16
All of a sudden the default route is lost after a while, since the upgrade to 21.7.

If I set the route manually it is there a few days, then suddenly lost again. I have ipv6 tunnel via Hurricane Electric.
#17
I just upgraded to the latest distro in the 21.1 branch, and OpenVPN doesn't start! This is truly weird. I have OpnSense on my two sites. After upgrade the OpenVPN indicator in the dashboard says that it is not working. And on the OpenVPN status page it says Service not running?

BUT! I can reach my other site via VPN!!?? Weird

from the upgraded server:
root@OPNsense:~ # ps ax | grep openvpn
92767  -  Ss    0:00.53 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf

So the service is running, but it doesn't indicate so in the GUI.
#18
I have two firewalls running OPNsense. On both of them I have set up ntp time synchronization. On box number 1 I get (if turning off ntp service)
root@OPNsense:~ # ntpdate 193.182.111.12
12 May 12:59:40 ntpdate[13215]: no server suitable for synchronization found

and on this box the service does not work!!! ??? And when starting NTP service I get "No active peers available"

On the other:
root@OPNsense:~ # ntpdate 193.182.111.12
12 May 13:08:27 ntpdate[97654]: adjust time server 193.182.111.12 offset +0.002239 sec

Works as expected.

No strange own rules on either box!

Gunnar
#19
I've configured my wan for getting a ::/56 from my ISP. For some reason it doesn't work. They say they are fully compliant to answering dhcpv6.

A small tcpdump from my opnsense:
root@OPNsense:~ # tcpdump -i igb0 -n -vv '(udp port 546 or 547) or icmp6'
tcpdump: listening on igb0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:30:17.484214 IP6 (hlim 1, next-header UDP (17) payload length: 89) fe80::20d:b9ff:fe51:6da8.546 > ff02::1:2.547: [bad udp cksum 0x25f8 -> 0x2737!] dhcp6 solicit (xid=124cce (client-ID hwaddr/time type 1 time 640886699 a0cec8ce700d) (elapsed-time 65535) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/56 pltime:4294967295 vltime:4294967295)))
17:32:19.326508 IP6 (hlim 1, next-header UDP (17) payload length: 89) fe80::20d:b9ff:fe51:6da8.546 > ff02::1:2.547: [bad udp cksum 0x25f8 -> 0x2737!] dhcp6 solicit (xid=124cce (client-ID hwaddr/time type 1 time 640886699 a0cec8ce700d) (elapsed-time 65535) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/56 pltime:4294967295 vltime:4294967295)))

I've checked the implicit rules generated when activating ipv6 on the WAN, and it looks ok, as far as I understand. But I still don't get ipv6.

From my wan configuration

ipv6 Configuration type: DHCPv6
Request only an ipv6 prefix: Yes
Prefix delegation size: 56
Send ipv6 prefix hint: Yes
Prevent release: Yes

Gunnar

#20
19.7 Legacy Series / [SOLVED] Upgrade from 19.1 fails
October 01, 2019, 02:57:27 PM
I've tried several times now to upgrade my 19.1 to 19.7. I unlock the upgrade and push the Upgrade now button. It then starts to download, reboot, and when I log in again I'm still on 19.1

I've also tried upgrading from the console and choose 19.7 when appropriate. Same result, after reboot still running 19.1

When looking in updates it looks like this:

Package Name   Current Version   New Version   Required Action
base                   19.7.3          19.1.8          upgrade

Which is plain nonsense.

In the Dashboard it says:

Versions   OPNsense 19.1.10_1-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019